{
	"id": "1854984c-0ea9-4bf6-bae5-fdbc4e5c9225",
	"created_at": "2026-04-06T00:17:50.32534Z",
	"updated_at": "2026-04-10T03:21:21.754462Z",
	"deleted_at": null,
	"sha1_hash": "5b12e3e002b5d4ac5cc7f8a9616c934530cbb5c0",
	"title": "Tricks and Treats: GHOSTPULSE’s new pixel-level deception",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1955617,
	"plain_text": "Tricks and Treats: GHOSTPULSE’s new pixel-level deception\r\nBy Salim Bitam\r\nPublished: 2024-10-19 · Archived: 2026-04-05 13:19:39 UTC\r\nUpdate\r\nThis research covers an update to stage 2 of GHOSTPULSE, originally disclosed by Elastic Security Labs in October 2023.\r\nKey takeaways\r\n1. GHOSTPULSE has shifted from using the IDAT chunk of PNG files to embedding its encrypted configuration and payload within the pixel structure.\r\n2. Recent campaigns involve tricking victims with creative social engineering techniques, such as CAPTCHA validations that trigger malicious commands through Windows keyboard shortcuts.\r\n3. Elastic Security has enhanced its YARA rules and updated the configuration extractor tool to detect and analyze both the old and new versions of GHOSTPULSE.\r\nPreamble\r\nThe GHOSTPULSE malware family (also known as HIJACKLOADER or IDATLOADER) has continuously evolved since its discovery in 2023, evading detection with increasingly developed techniques.\r\nIn its earlier iterations, GHOSTPULSE abused the IDAT chunk of PNG files to hide malicious payloads, as detailed in a previous article from Elastic Security Labs. However, recent analysis has uncovered a significant change in its algorithm. Instead of extracting the payload from the IDAT chunk, the latest version of GHOSTPULSE now parses the pixels of the image to retrieve its configuration and payload. This new approach involves embedding malicious data directly within the pixel structure.\r\nIn this research publication, we’ll explore this new pixel-based algorithm, compare it with the previous IDAT chunk technique, and provide updated detection rules.\r\nIntroduction\r\nRecently, we've observed several campaigns involving LUMMA STEALER using GHOSTPULSE as its loader, a topic also explored by HarfangLab. These campaigns stand out due to their creative social engineering tactics. Victims are tricked into validating a CAPTCHA, but the website instructs them to execute a series of Windows keyboard shortcuts instead of the usual process. These shortcuts trigger a command copied to the clipboard by malicious JavaScript. This leads to a PowerShell script being executed, initiating the infection chain by downloading and executing a GHOSTPULSE payload.\r\nhttps://www.elastic.co/security-labs/tricks-and-treats\r\nPage 1 of 6\r\nFigure: Social engineering lure website\r\nIn previous versions of GHOSTPULSE, it was delivered as part of a multi-file package. This package typically contained a benign executable, an infected DLL loaded by the executable, and a PNG file storing the encrypted configuration. However, in the latest version, GHOSTPULSE has streamlined its deployment. Now, the entire package consists of a single file: a benign but compromised executable that includes the PNG file within its resources section.\r\nFigure: Large embedded PNG file in the resources section\r\nTechnical analysis\r\nThe updated second stage of the malware retains much of its previous structure, including using the same hashing algorithm for resolving Windows API names. However, the most significant change is in how the malware now locates its configuration, which holds both the payload and critical instructions for its deployment.\r\nThe following is a screenshot showing the pseudocode of both implementations:\r\nFigure: Pseudocode comparison between the old and new algorithm\r\nIn earlier versions, GHOSTPULSE would parse a PNG file for an encrypted data blob, which was divided into chunks and stored sequentially. The malware’s parsing process was straightforward: it would search for a specific marker within the file, in this case the IDAT string. Once found, the malware would check for a 4-byte tag that followed the string. The encrypted chunk would be extracted if this tag matched the expected value. This process continues for every subsequent occurrence of the IDAT string until the full encrypted payload is collected.\r\nIn the new version, the encrypted configuration is stored in the pixels of the image. The malware constructs a byte array by extracting each pixel's RED, GREEN, and BLUE (RGB) values sequentially using standard Windows APIs from the GdiPlus (GDI+) library. Once the byte array is built, the malware searches for the start of a structure that contains the encrypted GHOSTPULSE configuration, including the XOR key needed for decryption. It does this by looping through the byte array in 16-byte blocks. For each block, the first 4 bytes represent a CRC32 hash, and the next 12 bytes are the data to be hashed. The malware computes the CRC32 of the 12 bytes and checks if it matches the hash. If a match is found, it extracts the offset of the encrypted GHOSTPULSE configuration, its size, and the 4-byte XOR key, and then XOR decrypts it.\r\nThe following diagram provides a visual breakdown of this process:\r\nUpdated configuration extractor\r\nBased on these findings, we have updated our configuration extractor to support both versions of GHOSTPULSE. This tool takes a PNG file as input and outputs the embedded payload. You can find the updated tool in our labs-releases repository.\r\nDetecting GHOSTPULSE with YARA\r\nThe original GHOSTPULSE YARA rule still prevents the final stage of an infection and is built into Elastic Defend. The updated sample can be detected using the following YARA rules and will be included with Elastic Defend in a future release.\r\nElastic Security has updated the GHOSTPULSE YARA rules to identify this activity:\r\nrule Windows_Trojan_GHOSTPULSE_1 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2024-10-15\"\r\n        last_modified = \"2024-10-15\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        category_type = \"Trojan\"\r\n        family = \"GHOSTPULSE\"\r\n        threat_name = \"Windows.Trojan.GHOSTPULSE\"\r\n        license = \"Elastic License v2\"\r\n    strings:\r\n        $stage_1 = { 49 63 D0 42 8B 0C 0A 41 03 CA 89 0C 1A 8B 05 ?? ?? ?? ?? 44 03 C0 8B 05 ?? ?? ?? ?? 44 3B C0 }\r\n        $stage_2 = { 48 89 01 48 8B 84 24 D8 00 00 00 48 8B 4C 24 78 8B 49 0C 89 08 C7 44 24 44 00 00 00 00 }\r\n    condition:\r\n        any of them\r\n}\r\nrule Windows_Trojan_GHOSTPULSE_2 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2024-10-10\"\r\n        last_modified = \"2024-10-10\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        category_type = \"Trojan\"\r\n        family = \"GHOSTPULSE\"\r\n        threat_name = \"Windows.Trojan.GHOSTPULSE\"\r\n        license = \"Elastic License v2\"\r\n    strings:\r\n        $a1 = { 48 83 EC 18 C7 04 24 00 00 00 00 8B 04 24 48 8B 4C 24 20 0F B7 04 41 85 C0 74 0A 8B 04 24 FF C0 89 04 24 E\r\n    condition:\r\n        all of them\r\n}\r\nConclusion\r\nIn summary, the GHOSTPULSE malware family has evolved since its release in 2023, with this recent update marking one of the most significant changes.\r\nAs attackers continue to innovate, defenders must adapt by utilizing updated tools and techniques to mitigate these threats effectively. We are excited to share our newly developed configuration extractor tool, designed to analyze the older and newer versions of GHOSTPULSE. This tool empowers researchers and cybersecurity professionals by providing enhanced capabilities for understanding and combating these evolving threats. As the landscape of cyber threats changes, collaboration and innovation remain essential for effective protection.\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format.\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\n57ebf79c384366162cb0f13de0de4fc1300ebb733584e2d8887505f22f877077 | SHA-256 | Setup.exe | GHOSTPULSE sample\r\nb54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae | SHA-256 | Setup_light.exe | GHOSTPULSE sample\r\nwinrar01.b-cdn[.]net | domain-name |  | Infrastructure hosting GHOSTPULSE sample\r\nreinforcenh[.]shop | domain-name |  | LUMMA STEALER C2\r\nstogeneratmns[.]shop | domain-name |  | LUMMA STEALER C2\r\nfragnantbui[.]shop | domain-name |  | LUMMA STEALER C2\r\ndrawzhotdog[.]shop | domain-name |  | LUMMA STEALER C2\r\nvozmeatillu[.]shop | domain-name |  | LUMMA STEALER C2\r\noffensivedzvju[.]shop | domain-name |  | LUMMA STEALER C2\r\nghostreedmnu[.]shop | domain-name |  | LUMMA STEALER C2\r\ngutterydhowi[.]shop | domain-name |  | LUMMA STEALER C2\r\nriderratttinow[.]shop | domain-name |  | LUMMA STEALER C2\r\nSource: https://www.elastic.co/security-labs/tricks-and-treats",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/tricks-and-treats"
	],
	"report_names": [
		"tricks-and-treats"
	],
	"threat_actors": [],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b12e3e002b5d4ac5cc7f8a9616c934530cbb5c0.pdf",
		"text": "https://archive.orkl.eu/5b12e3e002b5d4ac5cc7f8a9616c934530cbb5c0.txt",
		"img": "https://archive.orkl.eu/5b12e3e002b5d4ac5cc7f8a9616c934530cbb5c0.jpg"
	}
}